8 hard truths about working in cybersecurity

Take these lessons from an experienced IT pro so you don’t have to learn them the hard way.

My career working as a system administrator has involved a hefty amount of exposure to the cybersecurity realm, particularly while working for financial organizations. As data breaches continue to occur through a myriad of exploits (both technological and through human error), the stakes are constantly rising. We’ve reached a level where careers are built – and lost – based on protecting corporate assets.

Whether you’re contemplating a career in cybersecurity or have already started down the path, here are some frank observations which can help guide you in your career.

1. Information only goes so far

Information is great; after all, we work in IT, which stands for information technology. However, when it comes to providing information to users regarding security concepts to adhere to or watch out for, don’t assume it’s an end-all, be-all strategy or a done deal the moment you click send.

For instance, telling users not to click on suspicious email links does not automatically mean they will comply. Likewise, warnings grow stale or are forgotten over time, rendering them less useful. Emails often go unread or get misplaced, so there’s even less of a guarantee of compliance. Prepare to be more engaged.

2. Policies are good, but having technological controls to back them up is better

Security policies to dictate what users can and cannot do are useful for establishing expectations and boundaries. Example policies on TechRepublic’s sister site, Tech Pro Research, cover the following areas:

However, make sure to enact technological controls to go along with these policies, such as enforcing complex passwords, encrypting storage devices, and monitoring and alerting for security violations, along with other tools.

3. Clueless users are a bigger threat than malicious hackers

Hackers know this. This is why social engineering is so powerful; it’s far easier to convince a hapless user you’re from the IT department and need their password to fix a non-existent problem than it is to try to guess or crack said password, even with brute force techniques.

It’s also important to keep in mind that ignorance far outweighs evil intent when one of your users does something inappropriate such as visiting a suspicious website or trying to log into an unauthorized system. That’s why policies will help reduce the number of mistakes or ill-advised actions.

4. Cybersecurity is only glamorous in the movies

It’s rare that Hollywood depicts cybersecurity accurately. I’m surprised and pleased if a movie so much as references the concept of an IP address. Most of the time “busting hackers” is made to look intriguing and cool; cybersecurity pros are depicted at an almost James Bond level of brilliance and sophistication.

Sadly, the reality of cybersecurity is less about catching criminals red-handed through a fiendishly clever trap and more about the daily drudge work. Watching someone comb through logs, apply patches, attend training and read security advisories would hardly sell a movie ticket.

5. Automation is key

It’s essential to learn and utilize whatever centralized controls you can use to enact security changes such as locking down vulnerabilities or patching systems. Relying on Group Policy Objects, configuration management tools like SCCM or Puppet, and even simple bash scripting to execute a “for” loop will save hundreds of hours over the course of your career. They will also operate more effectively than manual human intervention, reducing the risk of error or mishap.

6. You can never test enough

Before rolling out any security-related changes, always test them thoroughly in an environment as similar to your live production environment as possible. Some of these changes can be vastly complex and lead to unexpected results.

For instance, disabling the antiquated TLS (Transport Layer Security) 1.0 protocol can lead to issues with older SQL databases, and the connection between the change and the resulting problem may not be immediately evident. Always thoroughly analyze the results for both users and systems when applying changes in a test environment.
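One way to see what still depends on TLS 1.0 before the change is rolled out is to audit connection logs for the protocol each client negotiated. The script below is an added example, not part of the original article; the key=value log format, the host and service names, and the function `clients_below` are hypothetical and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical key=value format; adapt the
# pattern to whatever your server or load balancer actually records.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z client=10.0.4.17 service=intranet-web proto=TLSv1.2
2024-01-10T09:00:03Z client=10.0.7.52 service=legacy-sql proto=TLSv1
2024-01-10T09:00:09Z client=10.0.7.52 service=legacy-sql proto=TLSv1
2024-01-10T09:01:12Z client=10.0.4.23 service=intranet-web proto=TLSv1.3
2024-01-10T09:02:40Z client=10.0.9.8 service=reporting proto=TLSv1.1
2024-01-10T09:03:05Z malformed line without fields
2024-01-10T09:03:30Z client=10.0.4.17 service=legacy-sql proto=TLSv1.2
"""

LINE_RE = re.compile(
    r"client=(?P<client>\S+)\s+service=(?P<service>\S+)\s+proto=(?P<proto>\S+)"
)

# Rank versions so "below the planned minimum" is a simple comparison.
VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def clients_below(log_text, minimum="TLSv1.1"):
    """Find connections that would fail once `minimum` is enforced.

    Returns ({(client, service): {proto: count}}, unparsed_line_count).
    The default minimum of TLSv1.1 models disabling TLS 1.0 only.
    """
    floor = VERSION_RANK[minimum]
    at_risk = defaultdict(lambda: defaultdict(int))
    unparsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] not in VERSION_RANK:
            unparsed += 1  # count these: unparsed traffic is unaudited traffic
            continue
        if VERSION_RANK[m["proto"]] < floor:
            at_risk[(m["client"], m["service"])][m["proto"]] += 1
    return {key: dict(counts) for key, counts in at_risk.items()}, unparsed


if __name__ == "__main__":
    risky, unparsed = clients_below(SAMPLE_LOG)
    for (client, service), counts in sorted(risky.items()):
        print(f"{client} -> {service}: {counts}")
    print(f"unparsed lines: {unparsed}")
```

Any client and service pair the audit reports is a candidate for the test environment before the protocol is switched off in production.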

7. Being the good guy pays peanuts

It may sound depressing, but as my police officer friends can relate, contrary to the cliche, crime does pay. A hacker who conducts a data breach can become rich overnight, while a cybersecurity pro might work an honest job for thirty years without yielding the same payoff.

My point is not to argue that it’s better to lead a life of crime, but if you’re going to be the good guy, understand that the bad guys have a vast monetary incentive to do what they do, and that being motivated by avarice makes them tougher to thwart. Avarice will cause people to do unbelievably outlandish or desperate things, as opposed to honest people earning a steady (if merely comfortable) paycheck.

8. Security is a journey, not a destination

The only truly secure system is one kept behind a locked door, taken off the network and therefore rendered completely inaccessible. But wait, as long as that door has a key in someone’s possession, it’s still possible that system could end up compromised.

There’s truly no such thing as perfect security, or a completely locked down environment. The cybersecurity professional’s job is never truly done; it’s only “done for now.”